Spanning tree per vlan on 2524?

We are installing an E500 virus filtering appliance. Logically, it functions as a bridge, but filters web traffic passing thru it for viruses. We set up a second VLAN on a 2524 to support the outside interface, but can't get it to work right. I suspect a spanning tree issue, even though spanning tree is disabled on the 2524.

You can see this would be a spanning tree violation if spanning tree were on and the switch didn't support separate spanning tree per VLAN (802.1s). I can't find out if the 2524 supports 802.1s or not, but spanning tree is disabled on the switch so it shouldn't matter.

When I substitute a separate switch for 2524_VLAN2 everything works. When the E500 is connected to VLAN2 it works if the E500 is disconnected from VLAN1. Whenever one port on the E500 is connected to VLAN1 and the other is connected to VLAN2, pings to the management address of the E500 mostly fail (occasionally they succeed), but no traffic can get thru to the Internet.

So, what's going on? Is this a limitation of the 2524? I can put in another switch if necessary, but there is no room in the rack.

Re: Spanning tree per vlan on 2524?

There is something I do not understand on your configuration... Is E500 able to act as a router? If you set up 2 VLANs, you NEED to put something able to route packets from one VLAN to another. If E500 is not set to do so, then your problem is due to that. Put a router linking your vlans, and everything'll be alright. That is maybe what happens when you describe substituting a separate switch. Maybe you can set up E500 to act as a router, but I do not see any routing table configuration possibility in the docs.

hth

The inside_router is the default gateway for the inside_net. The firewall is the default gateway for the inside_router to reach the Internet. The inside_router is the gateway the firewall uses to reach the inside_net. The E500 is a bridge; it looks like another switch hop, except that it filters HTTP traffic looking for viruses.

When VLAN2 is replaced with a separate switch (switch2 below) then everything works:

Re: Spanning tree per vlan on 2524?

Ok, I understand from that that you have a router able to address packets toward the external side of your network. There must be some kind of configuration problem somewhere in your vlan settings, as it is the only difference between the non-working and working scheme as you report. Check that point: vlan, tagged/untagged, router-interface, port addresses and the corresponding ones on your routers.

hth
Jerome

Re: Spanning tree per vlan on 2524?

Here's the config from the switch. I don't know how readable it will be, but there it is.

Note that at the end it configures spanning tree, even though I turned it off in the menu. I really think I need spanning tree turned off but I can't figure out how to do it - I don't work with HP switches very often.

I'm wondering about turning off GVRP (unknown-vlans disable) on the VLAN2 ports, if that might help.

Re: Spanning tree per vlan on 2524?

Hi, sorry for this delay, it's now morning in my time zone. I do not get clearly why you want to disable spanning tree, as your problem seems to be a VLAN one (whatsoever, refer to my post to your other question for disabling it).

On your config, here is how it should be:

1. On your switch, let's assume that E500 is plugged to port 1 and port 2. Create VLAN 1. You put port 1 in this VLAN as untagged.
2. Create VLAN 2. You put port 2 in this VLAN as untagged.

Now you have both VLANs able to communicate with each other.

On your config, ports 22-24 are both seen untagged and tagged, which means that they are untagged to VLAN 2 and tagged to VLAN 1, such that there is no real VLAN, and it doesn't work.

Does it seem helpful?
J

Re: Spanning tree per vlan on 2524?

Ok, I've done some more experimenting and here's my current theory.

Using "Status and Counters" / "Address Table" / "Search" I learned that the switch will only associate a particular mac address with a single port. It doesn't matter if you have multiple vlans, except that the vlan boundary blocks a packet that would otherwise be forwarded.

Here's an illustration.

HostA mac = 1
HostB mac = 2
SWC is a switch with two vlans.
SWD is a normal switch.
SWE is another normal switch.

HostA -> SWC_VLAN1 -> SWD -> SWC_VLAN2 -> HostB doesn't work.

HostA -> SWC_VLAN1 -> SWD -> SWE -> HostB works.

When SWC_VLAN2 is replaced by a separate switch it works. Because they are different vlans in the same switch, it can only learn the mac address of HostA and HostB on one port.

Let's assume it learns it on the port that the hosts are actually connected to. Packet destined for HostB comes into VLAN1, the switch sees that HostB is connected to a port in VLAN2 and doesn't forward the packet because doing so would cross VLAN boundaries.

Does this make sense? Is this why you were saying I needed a router? Note that replacing either VLAN with a totally separate switch makes the configuration work. I'll have to test this on a Cisco switch and see if it works the same way.
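The theory in the post above can be checked with a small simulation. This is an added example, not code from the thread or from the switch vendor; it models two MAC-learning modes: shared VLAN learning (one address table for the whole switch, so a MAC maps to a single port no matter which VLAN it was seen on, which is what the poster observed in the address table) and independent VLAN learning (one table per VLAN). The port numbers, the assumption that a frame whose destination is known on a port in another VLAN is dropped rather than flooded, and the bridge modelled as a transparent link between port 2 (VLAN1) and port 3 (VLAN2) are all assumptions made for the example.

```python
"""Constructed simulation of MAC learning in one switch carrying two VLANs.

Topology (assumed for the example, mirroring the HostA/SWD/HostB picture):
  port 1 (VLAN1): HostA          port 4 (VLAN2): HostB
  port 2 (VLAN1) <-- transparent bridge (the E500 / SWD) --> port 3 (VLAN2)
"""
from dataclasses import dataclass, field

# The bridge simply repeats whatever leaves port 2 into port 3 and vice versa.
BRIDGE = {2: 3, 3: 2}


@dataclass
class Switch:
    port_vlan: dict            # port -> VLAN id (every port untagged in one VLAN)
    shared_learning: bool      # True: one table for the switch; False: one per VLAN
    table: dict = field(default_factory=dict)

    def _key(self, vlan, mac):
        # Shared learning keys on MAC alone, so a MAC can live on only one port.
        return mac if self.shared_learning else (vlan, mac)

    def receive(self, in_port, src, dst):
        """Learn src on in_port, then return the set of egress ports for dst."""
        vlan = self.port_vlan[in_port]
        self.table[self._key(vlan, src)] = in_port
        members = {p for p, v in self.port_vlan.items() if v == vlan and p != in_port}
        out = self.table.get(self._key(vlan, dst))
        if out is None:
            return members                   # unknown unicast: flood inside the VLAN
        if out == in_port:
            return set()                     # destination is behind the ingress port
        # Assumption: a MAC known on a port of another VLAN is dropped, not flooded.
        return {out} if out in members else set()


def deliver(sw, in_port, src, dst, max_hops=10):
    """Inject one frame and follow it through the bridge; return host ports reached."""
    reached, pending, hops = set(), [in_port], 0
    while pending and hops < max_hops:
        port = pending.pop()
        for out in sw.receive(port, src, dst):
            if out in BRIDGE:
                pending.append(BRIDGE[out])  # crosses the bridge to the other VLAN
            else:
                reached.add(out)             # delivered to a host port
        hops += 1
    return reached


def ping_round_trip(shared_learning):
    """Return (request reached HostB, reply reached HostA) for one ping exchange."""
    sw = Switch(port_vlan={1: 1, 2: 1, 3: 2, 4: 2}, shared_learning=shared_learning)
    request_ok = 4 in deliver(sw, 1, "A", "B")   # HostA -> HostB
    reply_ok = 1 in deliver(sw, 4, "B", "A")     # HostB -> HostA
    return request_ok, reply_ok


def learned_ports(shared_learning):
    """Where the switch believes HostA and HostB are after the exchange above."""
    sw = Switch(port_vlan={1: 1, 2: 1, 3: 2, 4: 2}, shared_learning=shared_learning)
    deliver(sw, 1, "A", "B")
    deliver(sw, 4, "B", "A")
    return dict(sw.table)


if __name__ == "__main__":
    for mode, shared in (("shared VLAN learning", True), ("per-VLAN learning", False)):
        print(mode, "request/reply delivered:", ping_round_trip(shared))
        print("  address table:", learned_ports(shared))
```

With shared learning the request crosses the bridge and re-learns HostA's MAC on the VLAN2 side (port 3), so when the reply comes back through the bridge into VLAN1 the switch already "knows" HostA on a VLAN2 port and drops the frame; that is the one-port-per-MAC behaviour the poster found in the address table and why a second physical switch (or a router between the VLANs) makes it work. With a table per VLAN the same frames are delivered both ways.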

Re: Spanning tree per vlan on 2524?

You're right! That's exactly why I was thinking about a router, as communication can't be done anymore based on MAC address, as VLAN is virtually cutting your switch in two pieces (2 switches, smaller though, for the same price!), so A and B can't communicate anymore based on MAC; a router enables them (or VLANs) to communicate based on IP address, thus saying 'the way to B IP is thru VLAN2 switch port IP'...

If this week end is rainy, read a few tips about the whole stuff here:
http://computer.howstuffworks.com/lan-switch8.htm

How are you going to proceed, so?
J

Re: Spanning tree per vlan on 2524?

On reading back these pages, I feel that maybe you know already the whole content. Sorry if it's the case...

BTW, do not hesitate assigning points if you feel those posts helped: I'm fed with them! :-)
J